Fighting Back Against SSL Inspection, or How SSL Should Work

Presented at ToorCon San Diego 16 (2014), Oct. 26, 2014, 12:30 p.m. (20 minutes)

Enterprises are known to intercept and inspect SSL-protected employee web traffic, often without the employee adequately understanding what is happening, and almost certainly without the consent of the entity operating the server. The cases of Trustwave, TURKTRUST, and ANSSI show how the confidentiality of client-server communications is further threatened by the mounting abuse, misuse, incompetence, and compromise of “trusted” certificate authorities. Prior notice and the need to install custom root certificates are no longer technical hurdles impeding SSL interception. This talk will dispel the beliefs that SSL interception is only a client-side concern, and that addressing it using client-side certificates is impractical. We discuss how to leverage built-in browser and server-side capabilities, well understood in academia but rarely used in practice, to achieve mutual client-server authentication. Using these techniques, the server, too, now has a say in whether its traffic can be intercepted and inspected.
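The server-side half of that idea in working code, added here as an illustration and not taken from the talk or its author: a Go TLS server that requires a client certificate admits a client holding the employee's certificate and refuses one that does not, which is the position an intercepting proxy is in, since it can forge the server's identity with an installed root but cannot produce the employee's private key. The PKI (a root named "localhost" that doubles as the server cert, a client cert named "employee") is constructed in the program and exists only for this demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert issues a short-lived cert for cn, signed by parent (self-signed when parent is nil).
func makeCert(cn string, isCA bool, parent *x509.Certificate, signer *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), DNSNames: []string{"localhost"},
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil { parent, signer = tmpl, key } // self-signed root
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	cert, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert, key
}

// Constructed demo PKI: a private root (doubling as the server cert here) and the employee's client cert.
var caTLS, caCert, caKey = makeCert("localhost", true, nil, nil)
var cliTLS, _, _ = makeCert("employee", false, caCert, caKey)
var pool = func() *x509.CertPool { p := x509.NewCertPool(); p.AddCert(caCert); return p }() // trust anchor for both sides

// Connect reports whether a client can complete a session with a server that requires a client
// certificate; withClientCert=false models an intercepting proxy that lacks the employee's key.
func Connect(withClientCert bool) bool {
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{caTLS},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}) // the server, too, has a say
	go func() { // server side: Write runs the handshake, which fails without a valid client cert
		if c, err := ln.Accept(); err == nil {
			c.Write([]byte("ok"))
			c.Close()
		}
		ln.Close()
	}()
	cfg := &tls.Config{RootCAs: pool, ServerName: "localhost"}
	if withClientCert { cfg.Certificates = []tls.Certificate{cliTLS} }
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil { return false }
	n, err := conn.Read(make([]byte, 2)) // under TLS 1.3 the server's "certificate required" alert surfaces here
	conn.Close()
	return err == nil && n == 2 // true only if the server completed the handshake and sent "ok"
}
```

Under TLS 1.3 the client's own handshake finishes before the server has checked the client certificate, so the refusal appears on the first read rather than as a Dial error; the check above covers both cases.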


Presenters:

  • Jacob Thompson
    Jacob Thompson is a security analyst at Independent Security Evaluators, a Baltimore, Maryland, company specializing in high-end, custom security assessments of computer hardware and software products. Jacob holds an M.S. in Computer Science from the University of Maryland, Baltimore County. His primary security interests include analyzing commercial software products for design flaws and other vulnerabilities, reverse engineering, and cryptography. Prior to joining ISE, Jacob served as a Computer Science teaching assistant and briefly worked as an intern software engineer developing desktop and embedded applications for process control systems. Jacob has previously presented at DEF CON 21 and the inaugural 2013 B-Sides DC.
